Recently, SBA’s CIO Maria Roat tweeted that the “SBA OCIO is burning the bridges behind us - no going back.” This week, the SBA’s CTO Sanjay Gupta joins us to talk about how the SBA is forging ahead with innovation and also discuss his cybersecurity predictions for 2019.

… and don’t forget to sign up for upcoming episode alerts!

How to Listen

Introducing Sanjay Gupta, CTO for the Small Business Administration

Arika Pierce: Hi and welcome back to episode 16 of To The Point Cybersecurity. I am one of your co hosts Arika Pierce, and I have with me as always Eric Trexler. How are you doing Eric this week?

Eric Trexler: Hey Arika, I'm doing well.

Arika Pierce: Good, good. Well we have a guest this week that I think will be incredibly interesting to a lot of our listeners. We have the Small Business Administration or SBA the CTO Sanjay Gupta. Thank you Sanjay so much for joining us this week.

Sanjay Gupta: Glad to be here.

Burning Bridges: Trailblazing at the SBA

Arika Pierce: Excellent. Let's start with this Sanjay, I was recently sort of looking at your Twitter and you retweeted something from Maria Roat the CIO in which she talked about the fact that SBA is burning bridges, you guys are not going back, and you said you guys are truly trailblazers, your leadership is bold and courageous. Tell me more about that. What is the SBA doing in terms of burning bridges and really sort of leading the charge in innovation along in terms of your technology, especially around your cybersecurity?

Sanjay Gupta: Yeah I should begin by mentioning that this quote “burn the bridges behind us”, it was used in relation to SBA's Cloud journey, which we had started back in the spring of 2017. Like I've mentioned or we have talked in the past, the OCIO leadership team is what we call is a forward leading leadership team, and we are really not satisfied with the status quo.

Communicating our commitment

In this case, specifically what we were trying to communicate was our commitment, our confidence and our conviction to the transformation and the innovation we were taking in relation to the Cloud journey. For example, when we started a Cloud journey back in the spring of 2017, we decided to rightsize some of our software and hardware maintenance contracts for our primary data center. Mind you, we were making these decisions which would be effective in the fall of 2017. Here we are in spring of 2017, we're looking forward in time, and we're saying we really don't need to spend so much money for example for maintenance of UPS's in our primary data center come fall of 2017 'cause we'll be migrating to the Cloud.

Sanjay Gupta: That's why I would say that's a pretty bold and a courageous move sort of thinking ahead six nine months ahead, and trying to make that choice. It was also a show of our commitment like I said earlier, so that's what it was referencing.

Was there initial resistance to all these changes?

Eric Trexler: Sanjay, there's no question that the work that you and Maria and the team are doing is forward leaning. Is it just something you're saying to let everybody know, “Hey we're going forward”, or was there initial resistance that you had to overcome at SBA, and somebody had to put the statement out, which I believe is more has a military background, “We're going to burn the bridges?” You have no question but to fight because you can't go back.

Sanjay Gupta: You're absolutely right Eric. There was initial resistance, and that's always natural the inertia when you're undertaking a transformation is always there, and you have to be able to overcome the inertia. In this case, we had a very compelling reason that we needed to migrate off our primary data center and into the Cloud.

This was a message for our larger team at the OCIO and SBA also to our partners who we were working with and to the team itself to say

“Our leadership team is so committed that there is no going back, and we are confident that we will achieve this.”

Leaders making bold choices

That's why I say it's very bold and courageous because not many leaders have the ability to make some bold choices. They are able to burn the bridges behind them with the clear intention of saying, “We're marching forward.” Yeah you're right, yes it also has a military background here, Maria being from the Navy I'm sure there has been some reference to it her past life.

Eric Trexler: That's really a bold statement. You're basically saying “Hey we're betting it all on the Cloud.”

Sanjay Gupta: Yes it is a bold statement, there is no question about it. There is no turning back, there's only one path turning forward, and we are all in this journey together, and we'll meet this objective together. Yes it is a very bold and a courageous statement.

Eric Trexler: I love that. I love that, let's put it all on the line, let's do what we think is the right thing to better secure this organization.

Being bold and risk averse at the same time

Arika Pierce: Well especially because it's no secret that government can often times be risk adverse, so to really just forge ahead and to again be that trailblazer, I really do commend the SBA for that. I have to ask Sanjay, in terms of just some of the challenges that you've seen in the work that you're doing as CTO, there's been a couple of recent  reports that have come out towards the end of the year that have talked about some of the things that agencies have had to overcome as far as things such as the migration to the Cloud and protecting their networks, things like that. What have you seen just in terms of this past year that you feel as though SBA will do differently or refocus its efforts in the coming year that you can share with us?

Sanjay Gupta: Yeah so one of things we did I said was initially this year in 2018 we set up a very simple but a powerful vision to protect SBA's IT assets. Let me kind of try and describe that in a very simple manner. We wanted to look at all IT assets in SBA.

A location agnostic vision

What I mean by that is regardless of what they are located. What I mean by that again is if these assets are on the premise or in a Cloud. It doesn't matter in which Cloud they are in. We at the SBA have a primary Cloud footprint in AWS and Azure. We also have other Cloud services like SaaS offerings through Salesforce, Adobe and a few others, and then obviously we have mobile devices, that's sort of if you think about it, our footprint across different landscapes where our assets exist.

What we set the vision for was we said we need one set of tools. I say one set of tools again in a conceptual manner that will manage and secure all of these IT assets, and regardless of where they sit, like on a Cloud, in on premise, in mobile.

One set of tools to rule them all

Sanjay Gupta: We wanted to use this one set of Cloud tools, and we wanted to deploy these tools which are native tools, or native Cloud based tools I should say in the Cloud instance that we had set up. Rather than setting up two or three different types of tools or in two three different types of environments, one set of tools look at on prem, one set of tools look for mobile devices, and one set of tools manage and monitor and secure our Cloud devices, we said,

“No, we're going to use one set of security monitoring management tools that look across the board from all of these things.”

This was quite a turning point for us in 2018. Why I say this is a turning point for us was because we looked at this in a holistic manner. Let me give you a specific example, and I know you've heard us talk about it and seen some things written in the press about the tech modernization, or the trusted internet connection modernization effort that we embarked on in spring of 2018.

An overarching umbrella

Sanjay Gupta: We didn't look at the tech [inaudible 00:08:12] the DHS mandated continuous diagnostics and mitigation program as unique programs. We're looking at all of those programs under the overarching umbrella of SBA's vision to protect all IT assets. Quite frankly the tech or the CBM and for that matter the Einstein [inaudible 00:08:32] are really byproducts.

What I mean by that is really we're not trying to make the objectives or the controls that are required by the tech or CBM or Einstein, we're saying when we deploy these set of tools, we think we have actually met the objectives of these programs and some more. That's how we've been approaching cyber security at the SBA, and that's quite frankly not only revolutionary, but it's transformative because what we have done so far now is we've shown this to many people. In fact, I just had it demoed yesterday, we had people from DHS, from Treasury, from [inaudible 00:09:08] from JPO, from the Air Force.

Showing off the tools the SBA has developed

Sanjay Gupta: So far, we have done proudly 25 or so demos in the last nine months, and we've invited people from variety of different agencies, probably I think my count would be 30 plus different agencies and bureaus, and probably five to 600 people we've given this demo for. What we're showing is these tools in live production use. We're showing to people what capabilities we have.

We're also showing what capabilities we do not have by the way right? We've been open kimono about it. I think we've had nothing but a very overwhelming response from DHS, from [OMB 00:09:48] from [TSA 00:09:49] and all of our partners, because we've shown to them that we have a very cost effective and a time effective and time efficient manner. I know Eric we've been at events together, and I know you've talked about time to respond in cybersecurity is very, very critical.

Sanjay Gupta: Often times, it's not because you did not detect something in time, it is the action you took probably took longer than you probably needed to take.

Simplicity and speed

We're focusing on simplifying our environment, and we're focusing on our ability to be able to respond to things in a quicker manner. That's really what I think has been real key for us from a clouded option standpoint, and being able to look at cybersecurity in a manner which usually has not yet been looked at in the federal government, at least in my knowledge.

Our work is really not only informing what SBA is doing, but more importantly it's informing some of the policies and the guidance coming out of [OMB 00:10:43] whether it's in relation to Cloud smart strategy, or in relation to the tech modernization policy, which was recently released for public comment. We're hoping that we should also be able to do something very similar with the DHS team.

Innovation in Government and Heading into 2019 at the SBA

Sanjay Gupta: We have a draft of our project scope, and charter defined, we hope to kick that off here in January in a very similar 90 day pilot. What we want to be able to demonstrate via this process is that we actually are meeting the intent, and the goals of [CBM 00:11:14] all four phases quite frankly by the tools we already deployed.

Anyways, it's a long ways of answering your question, but I think we are quite excited about what we have been doing, and what's in future for us. By the way, as a side product of these things, you had mentioned about some of the audits right? We've also had our audit, and we've had our discussion with our auditors. I think one of the things we are also realizing is because in the space of the Cloud, things are moving so fast, the bearings have changed, some of the audit people are still sort of let's say working towards gaining more knowledge in these newer environments.

Sanjay Gupta: Often times you see the responses are rooted in the on premises environment, and the paradigm of computing that used to be in the on premises world. We're also helping them inform and learn about this thing. By the way, when I was talking about Treasury, the folks from the [inaudible 00:12:14] and Treasury were visiting with us for our demo. Anyways, I'm just happy because I've taken a long time and answer your super question.

It's hard to move fast on infrastructure built up over decades

Eric Trexler: That's a great point. I think many times we forget that there's a whole infrastructure that's been built up over decades. Even when you want to go fast, I mean we hear it a lot of times around acquisition reform, right? The business, the agency wants to go fast but they can't. The auditor side is interesting, it sounds like you might be scoring lower in some areas because the auditors haven't updated the requirements to audit or understand what you're doing and why you're doing it, which in a Cloud environment is absolutely different than it is in a traditional IT on prem environment.

Sanjay Gupta: You're absolutely right Eric, and I think that's part of what we are hoping to do is improve the information, improve the knowledge about the new models that have now existed because of the Cloud being in play. Yeah it's somewhat challenging sometimes, but at the same time, we are up for challenges. Like I said earlier, our leadership team is all about challenging the status quo. We recognize where they're coming from, there's nothing right or wrong about it. It's our jobs if you will to help them sort of see how this change in this world. Yeah sometimes it's difficult, but hey we didn't sign up for something easy.

What would the SBA have done differently, looking back?

Eric Trexler: Okay you burned the bridges right, you have the challenges that you have. What would you have done differently now that you get to look back at the journey so far? Where did you make mistakes? Where would you have been more efficient?

Sanjay Gupta: Oh yeah good point. I think as we kind of look back in time and we all should learn from what we did and we are fast learners, so some of the things that we are learning now is that we could probably have moved even faster. That's one thing even though we move fast and we feel we're moving fast, at least in the federal world, we could have even moved faster.

Comfortable in putting yourself out of your comfort zone

One of the components that we could have moved faster and if we had to do this all over again is the fact that our workforce, and this is also an important part of the equation here is you have to have a workforce which is sort of what I call is leading edge or working with newer technologies. What I call is you have to become comfortable in putting yourself out of your comfort zone. Let me say that one more time slowly.

Sanjay Gupta: All of us, we have really two choices, we will be either forced out of our comfort zones by other forces, market forces whatever you want to call that, or we could ourselves knowingly put ourselves out of our comfort zones and be able to learn new things, acquire new challenges, and address those new challenges on our terms if you will. That's another aspect if you think about from a human standpoint a workforce standpoint, a lot of us tend to become comfortable working in our comfort zones.

At some point, we are forced to move

There's nothing right or wrong about it, but the way the technology world moves, at least from my perspective and my professional experience that I have had, I have always found that if I choose to stay in my comfort zone, I could stay there, but at some point in time, I will be forced to move out of my comfort zone or the consequences of staying in my comfort zone are probably that's, not going to be very pretty, right?

Sanjay Gupta: That's another aspect that we have naturally had a challenge with, and we're continuing to work with these challenges, how do we motivate people to become comfortable to operate outside of their comfort zone? What does that translate into? It translates into saying, “Okay you know what? This is about trying to do things, learn fast, make mistakes.” It's okay to make mistakes, as long as we realize we're making mistakes in a sincere fashion where we need to learn from it, and need to learn from it quickly and move on, that's sort of a fast fail methodology right?

Leadership plays a supporting role

That's also about leadership, the leadership needs to be willing to say, “You know what? I'm giving you the ability to work in this model, and if you have some failures in this process and learning, that's okay, we all are learning. Nobody was born knowing everything that we have known today, we all learned it and we all made mistakes.”

Sanjay Gupta: That's sort of the other side of this equation which is we need to be able to empower our teams and individuals to say, “Okay go out, experiment, learn something new” and in that process if there's mistakes you make, that's perfectly fine, learn from it, move on and continue to sort of take on the next challenge. Again, I'm saying a mouthful here, but the net of it is this is the way I crystallize in my sayings, in my other presentations is, we all need to become comfortable in being able to operate outside our natural comfort zones.

Eric Trexler: We have to be comfortable being uncomfortable is the translation.

Wrapping up this week's episode

Arika Pierce: Yeah which are some great leadership principles. I wish Sanjay you had been sort of my boss in my early stages in my career in terms of making-

Eric Trexler: It's nice being told it's okay to fail.

Arika Pierce: Yeah and make mistakes but learn from them. I think especially in terms of being uncomfortable, being comfortable with being uncomfortable, that especially applies in technology right because it's so it's changing every day, it's changing so fast.

You have to be willing to step outside what you are comfortable with in order to keep up especially with the ever changing by the minute these days world of technology, especially in the space of cybersecurity.

Guys, we had a few technical difficulties on this episode, so we had to cut it a little short, but wanted to say thank you so much to SBA's Sanjay Gupta. His insight on this episode was so great that we did not want to lose anything that he said by re recording it. Also, thank you to all the listeners out there, so sorry again about the technical difficulties, but that's what happens when we try to keep it to the point. Please do subscribe to the podcast, please leave us a comment, rate us, and also let us know what you want to talk about.